CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40190 – ext4: guard against EA inode refcount underflow in xattr update
https://notcve.org/view.php?id=CVE-2025-40190
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40188 – pwm: berlin: Fix wrong register in suspend/resume
https://notcve.org/view.php?id=CVE-2025-40188
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume. In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwi... • https://git.kernel.org/stable/c/bbf0722c1c663b08f612bd8c58af27f45aa84862 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40187 – net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
https://notcve.org/view.php?id=CVE-2025-40187
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_... • https://git.kernel.org/stable/c/30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-40186 – tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
https://notcve.org/view.php?id=CVE-2025-40186
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due t... • https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40183 – bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
https://notcve.org/view.php?id=CVE-2025-40183
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap... • https://git.kernel.org/stable/c/b4ab31414970a7a03a5d55d75083f2c101a30592 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40180 – mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
https://notcve.org/view.php?id=CVE-2025-40180
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starti... • https://git.kernel.org/stable/c/4981b82ba2ff87df6a711fcd7a233c615df5fc79 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40178 – pid: Add a judgment for ns null in pid_nr_ns
https://notcve.org/view.php?id=CVE-2025-40178
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DA... • https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40173 – net/ip6_tunnel: Prevent perpetual tunnel growth
https://notcve.org/view.php?id=CVE-2025-40173
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this ... • https://git.kernel.org/stable/c/8eb30be0352d09165e94a41fef1c7b994dca0714 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40170 – net: use dst_dev_rcu() in sk_setup_caps()
https://notcve.org/view.php?id=CVE-2025-40170
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst... • https://git.kernel.org/stable/c/4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40168 – smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
https://notcve.org/view.php?id=CVE-2025-40168
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc_clc_prfx_match() is called from smc_listen_work() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the returned value of smc_clc_prfx_match() is not used in the caller. In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_... • https://git.kernel.org/stable/c/a046d57da19f812216f393e7c535f5858f793ac3 •